path: root/sysif.h
author: Kaz Kylheku <kaz@kylheku.com> 2016-05-01 21:57:23 -0700
committer: Kaz Kylheku <kaz@kylheku.com> 2016-05-01 21:57:23 -0700
commit: 112aa0b16bcc53b06633dfb9878194f6d59ada4d
tree: 257e222223c12972ced5debe4709c9196694e972 /sysif.h
parent: 7f1562fbf9262270b31d1007e400dd6605d81f99
Fix somewhat broken setuid privilege dropping.
* sysif.c (repress_privilege): Eliminate redundant getuid call.
(drop_privilege): On some platforms, setuid(getuid()) will not drop setuid non-root privilege. This is fixed by using setresuid, if we have it, which we do on Linux. On platforms where we don't have setresuid, we try setuid(getuid()). Then after that if we are able to change our effective user ID to the one we dropped, we conclude that it didn't work and abort.
(simulate_setuid): Call drop_privilege instead of repeating the naive privilege-dropping logic. Check the result of seteuid; if it fails, then drop privilege! Otherwise a txr that is setuid bob will continue running as bob, if it fails to enact setuid on a script owned by alice.
* txr.1: Rewrite SETUID OPERATION section in an attempt to clarify the wording, fix formatting issues, and describe the current implementation of privilege dropping.
Diffstat (limited to 'sysif.h')
0 files changed, 0 insertions, 0 deletions
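The drop-then-verify sequence that the commit message describes for drop_privilege, written out as an added C example; it is not txr's code. The names `drop_privilege_checked` and `HAVE_SETRESUID`, the `__linux__` test standing in for a configure check, and skipping the regain test when the real UID is 0 are all assumptions of this sketch.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* glibc: exposes setresuid() */
#endif
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>

#ifdef __linux__
/* Explicit prototype so the example builds whatever the feature-macro order. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
#define HAVE_SETRESUID 1       /* assumption: stand-in for a configure check */
#endif

/* Permanently drop setuid privilege. Returns 0 on success, -1 if the
   process failed to drop or could still get the old effective UID back. */
int drop_privilege_checked(void)
{
    uid_t real = getuid();
    uid_t orig_euid = geteuid();

#ifdef HAVE_SETRESUID
    /* Real, effective and saved UID are set in one call, so no saved
       set-user-ID remains to switch back to. */
    if (setresuid(real, real, real) != 0)
        return -1;
#else
    /* Fallback: may leave the saved set-user-ID in place when the setuid
       owner is not root, which is why the check below is needed. */
    if (setuid(real) != 0)
        return -1;
#endif

    /* Verification: regaining the dropped effective UID must now fail.
       Skipped when the real user is root, who can always switch UIDs. */
    if (real != 0 && orig_euid != real && seteuid(orig_euid) == 0)
        return -1;

    return (getuid() == real && geteuid() == real) ? 0 : -1;
}

int main(void)
{
    if (drop_privilege_checked() != 0) {
        fputs("privilege drop failed, aborting\n", stderr);
        abort();
    }
    printf("running as uid %ld\n", (long) getuid());
    return 0;
}
```

To see the verification matter, install the binary setuid to a non-root account and run it as a different unprivileged user on a platform that takes the fallback path.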